CORS and HTTP basic auth


Problem description


How would a preflighted HTTP request look if you include Basic auth? Like the following conversation? I'm having trouble understanding which headers need to be sent where, also because it's not possible to debug it properly with Firebug.

Client:

OPTIONS /api/resource HTTP/1.1
Access-Control-Request-Method: GET
Origin: http://jsconsole.com

Server:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true

Client:

GET /api/resource HTTP/1.1
Access-Control-Request-Method: GET
Access-Control-Allow-Credentials: true
Origin: http://jsconsole.com

Server:

HTTP/1.1 401 Unauthorized
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true
WWW-Authenticate: Basic realm="Authorisation Required"

Client:

GET /api/resource HTTP/1.1
Access-Control-Allow-Credentials: true
Authorization: Basic base64encodedUserAndPassword
Access-Control-Request-Method: GET
Origin: http://jsconsole.com

Server:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true

Solution

If you're requesting credentials then the server must respond with the specific origin in the Access-Control-Allow-Origin response header (and thus can't use the wildcard *). Of course it would then also need to respond with Access-Control-Allow-Credentials response header too.
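To make the answer's rule concrete, here is an added example (not code from the question or the answer) of a server-side helper that builds the CORS response headers for a credentialed request: it echoes one allow-listed origin instead of "*", sets Access-Control-Allow-Credentials, and only adds the preflight headers (methods, Authorization, max-age) when the request carries Access-Control-Request-Method. The allow-list and the second helper, which checks whether a response like the one in the question would be accepted by a browser, are my own assumptions.

```python
# Added example, not from the original post. Builds the CORS response headers
# for a credentialed request the way the answer describes: a specific origin
# from an allow-list instead of "*". The allow-list below is constructed.

ALLOWED_ORIGINS = {"http://jsconsole.com"}  # constructed allow-list


def cors_headers(request_headers, allowed_origins=ALLOWED_ORIGINS, max_age=1728000):
    """Return the CORS response headers for one request.

    request_headers: dict of request header name -> value (names are matched
    case-insensitively). Returns {} when there is no Origin header (not a
    cross-origin request) or the origin is not allow-listed, so the browser
    blocks the response instead of the server reflecting an arbitrary origin.
    """
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin")
    if origin is None or origin not in allowed_origins:
        return {}
    headers = {
        # Credentialed responses need the concrete origin, never the wildcard.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # The response now differs per origin, so shared caches must key on it.
        "Vary": "Origin",
    }
    if "access-control-request-method" in h:
        # Preflight (OPTIONS) request: advertise the allowed methods, permit
        # the Authorization request header, and let the browser cache the result.
        headers.update({
            "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
            "Access-Control-Allow-Headers": "Authorization",
            "Access-Control-Max-Age": str(max_age),
        })
    return headers


def is_valid_for_credentials(response_headers):
    """Apply the answer's rule to a set of response headers: a browser rejects a
    credentialed response whose Allow-Origin is '*' (or missing) or whose
    Allow-Credentials is not exactly 'true'."""
    h = {k.lower(): v for k, v in response_headers.items()}
    return (h.get("access-control-allow-origin", "*") != "*"
            and h.get("access-control-allow-credentials") == "true")
```

Running is_valid_for_credentials over the server headers shown in the question returns False, because Access-Control-Allow-Origin is the wildcard; the headers produced by cors_headers for the same origin pass.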
